Information About Secure Client Communications

Encrypted Client-Server Communications

By default, communication between the Cisco DCNM-LAN client and server is unencrypted; however, you can enable secure client-server communications, which uses Transport Layer Security (TLS), a protocol based on the Secure Sockets Layer (SSL) 3.0 protocol. In particular, communications between the Cisco DCNM-LAN client and the EJB port on the Cisco DCNM-LAN server are encrypted when you enable secure client communications.

Enabling secure client communications does not affect how users download, install, and log into the Cisco DCNM-LAN client.

Firewall Support for Client-Server Communications

Cisco DCNM-LAN supports client-server connections across gateway devices such as a firewall; however, you must configure any gateway devices to allow the connections that the client must open to the Cisco DCNM-LAN server.

By default, the secondary server bind port is assigned a random port number when the Cisco DCNM-LAN server starts. To support client-server communications across a gateway device, you must configure the Cisco DCNM-LAN server to use a specific port for the secondary server bind service.

By default, Cisco DCNM Web Client uses HTTP. If you want to install SSL certificates and use Cisco DCNM Web Client over HTTPS (using TCP port 443 or another custom port), you need a certificate for each external IP address that accepts secure connections. You can purchase these certificates from a well-known Certificate Authority (CA).

To enable SSL, you must set up the keystore to use either a self-signed certificate or a certificate from a trusted third-party company such as VeriSign.

Step 2 Enter your name, organization, state, and country. Enter changeit when prompted for a keystore password. If you prefer to use your own password, do not forget to change the keystorepass attribute in the server.xml file. When prompted for a key password, press Enter or use the same password as the keystore password.

Note You can now follow the steps in the next section for modifying DCNM Web Client to use SSL.

To obtain a certificate from the Certificate Authority of your choice, you must create a Certificate Signing Request (CSR). The CSR is used by the certificate authority to create a certificate that identifies your website as secure.

You must now have a file named certreq.csr. The file is encoded in PEM format. You can submit it to the certificate authority. You can find instructions for submitting the file on the Certificate Authority website.

Step 3 After you have your certificate, you can import it into your local keystore. You must first import a Chain Certificate or Root Certificate into your keystore. You can then import your certificate.

Step 4 Download a Chain Certificate from the Certificate Authority where you obtained the certificate:

Modifying Cisco DCNM Web Client to Use SSL

Step 1 Stop Cisco DCNM Web Client if you have already launched it. If you have installed the Cisco DCNM Web Client on Windows, you can stop the service using Windows Services under Administrative Tools.

Step 2 Use a text editor to open \jboss-4.2.2.GA\server\fm\deploy\jboss-web.deployer\server.xml from the directory where DCNM Web Client is installed. You see the following lines in the beginning after some copyright information:

Step 3 Comment out the first <Connector> element and uncomment the second one. Note that the port changes from 8443 to 443 and that the keystore and keypass attributes are added. Your file should look like the following example:
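The following Python script is an added example, not Cisco's code or configuration, that checks a server.xml in the shape this step should leave behind: only the SSL connector on port 443 is active, it names a keystore, and the keystore password attribute is present and not the keytool default. The sample server.xml is constructed for the example; keystoreFile and keystorePass are the JBoss Web (Tomcat) connector attribute names that the text refers to as keystore and keypass, and the keystore path conf/fmserver.jks is an assumption.

```python
"""Check the HTTPS <Connector> that the server.xml edit should leave active.

Added example, not Cisco's code. SAMPLE_SERVER_XML is constructed to mirror
the outcome of the step: the plain HTTP connector commented out and a single
SSL connector on port 443. keystoreFile/keystorePass are the JBoss Web
connector attribute names; the keystore path is an assumption.
"""
import xml.etree.ElementTree as ET

# The default password the keystore creation step tells you to enter.
KEYTOOL_DEFAULT_PASSWORD = "changeit"

SAMPLE_SERVER_XML = """\
<Server>
  <Service name="jboss.web">
    <!--
    <Connector port="8080" address="${jboss.bind.address}"
               maxThreads="250" connectionTimeout="20000" />
    -->
    <Connector port="443" address="${jboss.bind.address}"
               maxThreads="250" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="${jboss.server.home.dir}/conf/fmserver.jks"
               keystorePass="example-keystore-password" />
  </Service>
</Server>
"""


def check_https_connector(server_xml):
    """Return a list of findings; an empty list means the connector set-up
    matches the procedure. Commented-out <Connector> elements are discarded
    by the XML parser, so only live connectors are examined."""
    root = ET.fromstring(server_xml)
    live = list(root.iter("Connector"))
    ssl = [c for c in live if c.get("SSLEnabled") == "true"]
    plain = [c for c in live if c.get("SSLEnabled") != "true"]
    findings = []
    if not ssl:
        findings.append("no active SSL-enabled <Connector>")
    for c in ssl:
        if c.get("port") != "443":
            findings.append(f"SSL connector listens on {c.get('port')}, procedure uses 443")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append('SSL connector should set scheme="https" secure="true"')
        if not c.get("keystoreFile"):
            findings.append("SSL connector has no keystoreFile")
        pw = c.get("keystorePass")
        if not pw:
            findings.append("SSL connector has no keystorePass (must match the keystore password)")
        elif pw == KEYTOOL_DEFAULT_PASSWORD:
            findings.append("keystorePass is the well-known keytool default; "
                            "keep it in sync if you change the keystore password")
    if plain:
        # The step comments out the first (cleartext) connector; a live one
        # means web client traffic can still be served unencrypted.
        findings.append(f"{len(plain)} cleartext HTTP connector(s) still active")
    return findings


if __name__ == "__main__":
    print(check_https_connector(SAMPLE_SERVER_XML) or "server.xml looks consistent")
```

Run it against the real file with check_https_connector(open(path).read()); an empty list means the active connector set matches the procedure.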

Step 2 When HTTPS is not enabled, copy the fmtrust.jks file from the server machine under <dcnm-server-install-folder>\dcm\jboss-4.2.2.GA\server\fm\conf to the .dcnm\certs folder (located in the user home directory) on the client machine. Once the file is copied, rename it to truststore.

Step 3 When HTTPS is enabled, copy the fmserver.jks file from the server machine under <dcnm-server-install-folder>\dcm\jboss-4.2.2.GA\server\fm\conf to the .dcnm\certs folder (located in the user home directory) on the client machine. Once the file is copied, rename it to truststore.

Step 4 When Cisco DCNM is installed on Microsoft Windows, locate the dcnm-wrapper.conf file under <dcnm-server-install-folder>\dcm\dcnm\config. You will need to do the following in the dcnm-wrapper.conf file. Replace

where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.

Step 3 Find the following section in the file. Verify that the section you find matches the following lines exactly.

b. In the last line of the section, add the following two characters after mbean:

--

The changed line should read as follows:

</mbean-->

Step 7 Save and close the jboss-service.xml file.

Step 8 In a text editor, open the jboss-service.xml file that is at the following location:

INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\conf\jboss-service.xml

Note This is a different jboss-service.xml file than you opened in Step 2.

Step 9 Find the following section in the file.

cisco.dcnm.remoting.transport=socket

cisco.dcnm.remoting.port=3873

cisco.dcnm.remoting.ejbport=3873

cisco.dcnm.remoting.sslejbport=3843

cisco.dcnm.remoting.client.invokerDestructionDelay=0

The port numbers at the end of the last three lines may vary from this example, depending upon whether the default port numbers were changed during the Cisco DCNM-LAN server installation.

Step 10 Change the cisco.dcnm.remoting.transport value to sslsocket. The changed line should read as follows:

cisco.dcnm.remoting.transport=sslsocket

Step 11 Change the cisco.dcnm.remoting.port value to match the value specified for cisco.dcnm.remoting.sslejbport. For example, if the Cisco DCNM-LAN server is configured to use the default SSL port, the cisco.dcnm.remoting.sslejbport value is 3843 and the changed line would read as follows:

cisco.dcnm.remoting.port=3843

Step 12 Change the cisco.dcnm.remoting.client.invokerDestructionDelay value to 30000. The changed line should read as follows:

cisco.dcnm.remoting.client.invokerDestructionDelay=30000

Step 13 Save and close the jboss-service.xml file.

Step 14 Do one of the following:

If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server first. Allow at least one minute between starting each server.

If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.

For more information about starting a single Cisco DCNM-LAN server or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 6.x.

Disabling Encrypted Client-Server Communications

You can disable secure client communications.

If your Cisco DCNM-LAN deployment is a clustered-server deployment, you must perform the following steps on each server in the cluster.

where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.

Step 3 Find the following section in the file. Verify that the section you find matches the following lines exactly.

b. In the last line of the section, add the following two characters after mbean:

--

The changed line should read as follows:

</mbean-->

Step 7 Save and close the jboss-service.xml file.

Step 8 In a text editor, open the jboss-service.xml file that is at the following location:

INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\conf\jboss-service.xml

Note This is a different jboss-service.xml file than you opened in Step 2.

Step 9 Find the following section in the file.

cisco.dcnm.remoting.transport=sslsocket

cisco.dcnm.remoting.port=3843

cisco.dcnm.remoting.ejbport=3873

cisco.dcnm.remoting.sslejbport=3843

cisco.dcnm.remoting.client.invokerDestructionDelay=30000

The port numbers at the end of the last three lines may vary from this example, depending upon whether the default port numbers were changed during Cisco DCNM-LAN server installation.

Step 10 Change the cisco.dcnm.remoting.transport value to socket. The changed line should read as follows:

cisco.dcnm.remoting.transport=socket

Step 11 Change the cisco.dcnm.remoting.port value to match the value specified for cisco.dcnm.remoting.ejbport. For example, if the Cisco DCNM-LAN server is configured to use the default EJB port, the cisco.dcnm.remoting.ejbport value is 3873 and the changed line would read as follows:

cisco.dcnm.remoting.port=3873

Step 12 Change the cisco.dcnm.remoting.client.invokerDestructionDelay value to 0. The changed line should read as follows:

cisco.dcnm.remoting.client.invokerDestructionDelay=0

Step 13 Save and close the jboss-service.xml file.

Step 14 Do one of the following:

If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server first. Allow at least one minute between starting each server.

If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.

For more information about starting a single Cisco DCNM-LAN server or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 6.x.
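The following Python script is an added example, not Cisco's code, covering the jboss-service.xml edits in Steps 9 through 12 of both this disabling procedure and the enabling procedure above. It rewrites the five cisco.dcnm.remoting.* lines in either direction, taking the port from the configured sslejbport or ejbport value rather than assuming 3843 or 3873, and checks that a file is in a consistent state (transport, port and invokerDestructionDelay all agreeing). The property block is constructed from the documentation's example; the file path is the one given in Step 8.

```python
"""Toggle and verify the Cisco DCNM-LAN EJB remoting transport settings.

Added example (not Cisco's code). The lines below mirror the five
cisco.dcnm.remoting.* properties that the enable/disable procedures edit in
INSTALL_DIR\\dcm\\jboss-4.2.2.GA\\server\\dcnm\\conf\\jboss-service.xml.
The sample text is constructed for this example.
"""
import re

PREFIX = "cisco.dcnm.remoting."

# Constructed sample of the block before SSL is enabled (default ports).
SAMPLE_PLAIN = """\
cisco.dcnm.remoting.transport=socket
cisco.dcnm.remoting.port=3873
cisco.dcnm.remoting.ejbport=3873
cisco.dcnm.remoting.sslejbport=3843
cisco.dcnm.remoting.client.invokerDestructionDelay=0
"""


def parse_remoting(text):
    """Return {key: value} for every cisco.dcnm.remoting.* line in text."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*(cisco\.dcnm\.remoting\.[\w.]+)\s*=\s*(\S+)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def set_transport(text, secure):
    """Rewrite the block for SSL (secure=True, enabling Steps 10-12) or for
    plain sockets (secure=False, disabling Steps 10-12).

    The port follows the configured sslejbport/ejbport value instead of a
    hard-coded 3843/3873, because those may have been changed at install time.
    """
    props = parse_remoting(text)
    if secure:
        new = {"transport": "sslsocket",
               "port": props[PREFIX + "sslejbport"],
               "client.invokerDestructionDelay": "30000"}
    else:
        new = {"transport": "socket",
               "port": props[PREFIX + "ejbport"],
               "client.invokerDestructionDelay": "0"}
    out = []
    for line in text.splitlines():
        m = re.match(r"\s*(cisco\.dcnm\.remoting\.([\w.]+))\s*=", line)
        if m and m.group(2) in new:
            line = f"{m.group(1)}={new[m.group(2)]}"
        out.append(line)
    return "\n".join(out) + "\n"


def check_remoting(text):
    """Return a list of problems; an empty list means the block is consistent.

    Catches the common half-done edit: transport switched to sslsocket while
    cisco.dcnm.remoting.port still names the cleartext EJB port, which leaves
    clients unable to connect or an operator assuming encryption is on.
    """
    p = parse_remoting(text)
    transport = p.get(PREFIX + "transport")
    port = p.get(PREFIX + "port")
    delay = p.get(PREFIX + "client.invokerDestructionDelay")
    problems = []
    if transport == "sslsocket":
        if port != p.get(PREFIX + "sslejbport"):
            problems.append("port does not match sslejbport")
        if delay != "30000":
            problems.append("invokerDestructionDelay should be 30000 for sslsocket")
    elif transport == "socket":
        if port != p.get(PREFIX + "ejbport"):
            problems.append("port does not match ejbport")
        if delay != "0":
            problems.append("invokerDestructionDelay should be 0 for socket")
    else:
        problems.append(f"unknown transport {transport!r}")
    return problems


if __name__ == "__main__":
    secure = set_transport(SAMPLE_PLAIN, secure=True)
    print(secure)
    print("problems:", check_remoting(secure) or "none")
```

To use it on a real server, read jboss-service.xml into a string, pass it through set_transport and write the result back, then run check_remoting on each server in a cluster before starting them.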

Specifying a Secondary Server Bind Port

You can configure a Cisco DCNM-LAN server to use a specific secondary server bind port.

If your Cisco DCNM-LAN deployment is a clustered-server deployment, you must perform this procedure on each server in the cluster.

where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.

Step 3 Find the following section in the file. Verify that the section you find includes the secondaryBindPort line.

<!-- Use these parameters to specify values for binding and connecting control connections to work with your firewall/NAT configuration

<attribute name="secondaryBindPort">48227</attribute>

<attribute name="secondaryConnectPort">48227</attribute>

-->

By default, the section is commented out using the standard XML comment markers, <!-- and -->.

If you have previously specified a secondary server bind port, the section is not commented out.

Step 4 If the section is commented out, uncomment the secondaryBindPort line, as follows:

a. At the end of the second line of the section, add the following three characters after configuration:

-->

The changed line should read as follows:

to work with your firewall/NAT configuration-->

b. At the beginning of the fourth line of the section, add the following four characters:

<!--

The changed line should read as follows:

<!-- <attribute name="secondaryConnectPort">abc</attribute>

After you uncomment the section, it should read as follows:

<!-- Use these parameters to specify values for binding and connecting control connections to work with your firewall/NAT configuration-->

<attribute name="secondaryBindPort">48227</attribute>

<!--<attribute name="secondaryConnectPort">48227</attribute>

-->

Step 5 In the secondaryBindPort line, specify a port number between the opening and closing attribute elements. For example, if you want to specify port 47900, the secondaryBindPort line should read as follows:

<attribute name="secondaryBindPort">47900</attribute>

Step 6 Save and close the remoting-bisocket-service.xml file.

Step 7 Do one of the following:

If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server first. Allow at least one minute between starting each server.

If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.

For more information about starting a single Cisco DCNM-LAN server or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 6.x.
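The following Python script is an added example, not Cisco's code, that performs Steps 4a, 4b and 5 above on the commented-out section of remoting-bisocket-service.xml and then proves the result is still well-formed XML with only secondaryBindPort live. The comment split in Step 4 is easy to get wrong by hand (a stray -- or a misplaced <!-- breaks the whole file, and the server then fails to start or keeps using a random port that the firewall does not allow), so the script parses the fragment instead of trusting the edit. The sample section is constructed from the one shown in Step 3, and port 47900 follows the documentation's own example.

```python
"""Uncomment secondaryBindPort in remoting-bisocket-service.xml and verify it.

Added example (not Cisco's code). SAMPLE_COMMENTED is constructed from the
commented-out section shown in the procedure.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_COMMENTED = """\
<!-- Use these parameters to specify values for binding and connecting control connections to work with your firewall/NAT configuration
<attribute name="secondaryBindPort">48227</attribute>
<attribute name="secondaryConnectPort">48227</attribute>
-->
"""


def live_attributes(section):
    """Parse the fragment as XML (inside a dummy root) and return the
    name->value map of <attribute> elements that are NOT inside comments.
    A ParseError here means a comment marker was put in the wrong place."""
    root = ET.fromstring("<mbean>" + section + "</mbean>")
    return {a.get("name"): a.text for a in root.findall("attribute")}


def enable_secondary_bind_port(section, port):
    """Apply Steps 4a, 4b and 5: close the descriptive comment after
    'configuration', reopen a comment before secondaryConnectPort so that only
    secondaryBindPort becomes live, and set its value to `port`.

    If the section was uncommented earlier (a port was already specified),
    Step 4 is skipped and only the port value is replaced."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid TCP port {port}")
    lines = section.splitlines()
    if "secondaryBindPort" not in live_attributes(section):
        # Step 4a: terminate the descriptive comment at the end of its line.
        lines[0] = lines[0].rstrip() + "-->"
        # Step 4b: comment out secondaryConnectPort; the existing trailing
        # --> on the last line now closes this new comment instead.
        idx = next(i for i, l in enumerate(lines) if "secondaryConnectPort" in l)
        lines[idx] = "<!--" + lines[idx]
    # Step 5: put the chosen port between the opening and closing tags.
    out = []
    for l in lines:
        if "secondaryBindPort" in l:
            l = re.sub(r">\d+<", f">{port}<", l)
        out.append(l)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    edited = enable_secondary_bind_port(SAMPLE_COMMENTED, 47900)
    print(edited)
    print("live attributes:", live_attributes(edited))
```

After editing the real file, live_attributes on the edited section should return only secondaryBindPort with the port you chose; that is the port to open on the gateway device in addition to the EJB port the client already uses.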

Information About SMTP Servers

The Cisco DCNM-LAN client supports a feature where you can specify rising or falling threshold rules for sample variables in collected statistical data. When one of these thresholds has been crossed, you can specify that an e-mail alert be sent. The Cisco DCNM-LAN server can be configured to send e-mail to an SMTP server.

For more information about stopping Cisco DCNM-LAN, see the Cisco DCNM Fundamentals Guide, Release 6.x.

Step 2 In a text editor, open the mail-service.xml file at the following location:

INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\deploy\mail-service.xml

where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.

Step 3 Find the mail.smtp.host property value and modify it to specify the SMTP gateway server.

If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server first. Allow at least one minute between starting each server.

If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.

For more information about starting a single Cisco DCNM-LAN server or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 6.x.

Configuring for SMTP Servers for Cisco DCNM Release 6.3(1) and Further Releases

Perform the following steps to configure the SMTP server for JBoss 7.

Step 1 Enter the SMTP server details in the server configuration file.